• Cybercrime
  • Ransomware alarm for eHealth in 2016

    Oh no, “Your computer has been locked!” It’s a heart-sinking message to receive. A report by the Institute for Critical Infrastructure Technology (ICIT) says 2016 will be the year the USA is held hostage by ransomware hackers. US healthcare is a target. Africa’s healthcare might be vulnerable too.

    It says the USA’s healthcare sector wasn’t a traditional ransomware target, but it has detected a change. Locky ransomware may be part of a bigger threat. Hospitals in the USA and Germany have been attacked and had to restore their systems from backups.

    eHNA has reported on numerous cyber-attacks on USA healthcare. Most have been after personal data, such as social security numbers, that can be used for fraudulent claims. Ransom attacks are a new and different threat for healthcare: the attacker doesn’t need to steal the data, only to lock it away from the people who need it. If the volume takes off, it can become a global challenge.

    Africa’s health systems may be seen as prey too. Stepping up their cyber-security’s essential now.

  • eHNA's not immune to cybercrime

    Over the last couple of weeks eHNA has been attacked twice. In one of these an intruder originating from an IP address in Russia used Hydra to access our servers. Hydra is an online brute-force login tool: it fires large numbers of username and password guesses at a network login service, such as SSH, FTP or a web form, until one is accepted. Once inside, the unwelcome visitor left some destructive scripts.

    Fortunately, we found and removed the mischievous code shortly after it was deposited, so the damage was negligible and halted. We should be able to protect ourselves from Hydra with stronger passwords, which make guessing take far longer, though a determined intruder is likely to have a lot more than Hydra in a toolkit of intrusion tricks. Limiting failed login attempts per source address, and using key-based rather than password logins where possible, take the brute-force route away altogether.
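    An attack like the one described above leaves a loud trail in the server’s authentication log: a burst of failed logins from one address, and, if the guessing worked, a successful login from that same address moments later. The script below is an added example, not eHNA’s own code. It assumes OpenSSH auth.log line formats and uses a handful of constructed log lines (the addresses are RFC 5737 documentation ranges, not real attackers); the threshold of five failures in sixty seconds is an arbitrary starting point to tune for your own servers.

```python
"""Brute-force login detection over sshd auth log lines (added example).

Flags (1) a source IP that reaches `threshold` failed logins inside a sliding
window of `window_s` seconds, and (2) a successful login from an IP whose
failure count is still above the threshold, which is the signal that the
guessing probably worked and the account needs attention now.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenSSH/syslog format (the year is assumed,
# since syslog timestamps omit it).  Addresses are documentation ranges.
SAMPLE_LOG = """\
Feb 20 03:14:01 web1 sshd[2210]: Failed password for root from 198.51.100.7 port 40122 ssh2
Feb 20 03:14:02 web1 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 40123 ssh2
Feb 20 03:14:02 web1 sshd[2212]: Failed password for invalid user oracle from 198.51.100.7 port 40124 ssh2
Feb 20 03:14:03 web1 sshd[2213]: Failed password for root from 198.51.100.7 port 40125 ssh2
Feb 20 03:14:04 web1 sshd[2214]: Failed password for root from 198.51.100.7 port 40126 ssh2
Feb 20 03:14:05 web1 sshd[2215]: Failed password for editor from 198.51.100.7 port 40127 ssh2
Feb 20 03:14:09 web1 sshd[2216]: Accepted password for editor from 198.51.100.7 port 40128 ssh2
Feb 20 03:20:11 web1 sshd[2300]: Failed password for editor from 203.0.113.9 port 51002 ssh2
Feb 20 03:25:40 web1 sshd[2301]: Accepted publickey for editor from 203.0.113.9 port 51003 ssh2
"""

# Matches both "Failed password for invalid user X" and "Failed password for X",
# plus "Accepted password/publickey for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(lines, year=2016):
    """Yield (timestamp, result, user, ip) for lines that are sshd auth events."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd chatter, or not an auth event at all
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def detect(lines, threshold=5, window_s=60):
    """Return alerts as (kind, ip, user, timestamp) tuples.

    kind is "bruteforce" the first time an IP hits the threshold, or
    "success-after-bf" for each successful login from an IP still over it.
    """
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    alerted = set()                # IPs already reported as brute-forcing
    alerts = []
    for ts, result, user, ip in parse(lines):
        q = failures[ip]
        # Age out failures that have fallen outside the sliding window.
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append(("bruteforce", ip, user, ts))
        elif len(q) >= threshold:
            # A success right after a burst of failures: the guessing worked.
            alerts.append(("success-after-bf", ip, user, ts))
    return alerts


if __name__ == "__main__":
    for kind, ip, user, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts:%b %d %H:%M:%S}  {kind:<17} ip={ip} user={user}")
```

    On the sample data the single failure from 203.0.113.9 followed by a key-based login twenty minutes later produces nothing, which is the point of the window: one mistyped password is not an attack. The burst from 198.51.100.7 raises a brute-force alert on the fifth failure and a second, more urgent one when the “editor” password is accepted four seconds later. In production the same logic belongs in whatever watches the logs continuously, paired with automatic blocking of the offending address, so that it does not depend on someone reading auth.log after the fact.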

    It’s a timely reminder that cyber-crime’s on the increase and no one is immune. eHNA will continue to follow and improve the layering advice we reported and the goals to:

    - Be constantly vigilant
    - Do what’s needed to stay one step ahead of intruders
    - When we fail, get eHNA up again quickly.

    eHNA’s here to stay. Thank you for your support.

  • Are there two different responses to ransomware?

    Ransomware’s easy money if victims pay up. In the USA, two recent responses show there are two choices. NBC News reports that staff at Hollywood Presbyterian Medical Center noticed “significant IT issues and declared an internal emergency,” said hospital President and CEO Allen Stefanek. The disruption halted routine administrative operations. BBC News technology site reports that the Center paid a ransom of about US$17,000 in response to a 40 bitcoin demand.

    The Center said the quickest and most efficient way to restore its information systems and administrative functions was to pay the ransom in exchange for the decryption key. It added that all systems currently in use had been cleared of malware and thoroughly tested.

    It shows Africa’s health systems a possible going rate for fixing some ransomware attacks on healthcare organisations. Paying also relies on the attacker honouring the deal. Preventing attacks and minimising their impact, with tested backups that can be restored quickly, offers a better way.


  • Ten healthcare cyberattack trends

    Cyberattacks around the world are growing in size and complexity. This has been confirmed by Arbor Networks in its 11th Annual Worldwide Infrastructure Security Report, says an article in Healthcare IT News.

    The survey garnered 354 responses, up from 287 received last year, from a mix of Tier 1 and Tier 2 and 3 service providers, hosting, mobile, enterprise and other types of network operators from around the world. “This report provides broad insight into the issues network operators around the world are grappling with on a daily basis,” Arbor Networks Chief Security Technologist Darren Anstee said in a statement announcing the report. “The findings from this report underscore that technology is only part of the true story since security is a human endeavor and there are skilled adversaries on both sides.”

    Arbor Networks lists the top five Distributed Denial of Service (DDoS) trends and the top five advanced threat trends. DDoS attacks are usually launched from many compromised machines at once, a botnet, each infected with malware that gives the attacker remote control of it.

    The top five DDoS trends are:

    - Change in attack motivation
    - Attack size continues to grow
    - Complex attacks on the rise
    - Cloud under attack
    - Firewalls continue to fail during attacks

    The top five advanced threat trends are:

    - Focus on better response
    - Better planning
    - Insiders in focus
    - Staffing quagmire
    - Increasing reliance on outside support

    As Africa’s eHealth steps up its cyber-security, Arbor’s trends help to prepare for the future rather than deal with just the present. How these change will no doubt be in the 12th edition.

  • African countries still targets for cybercriminals

    Tanzania was the most attacked country in the world in October 2015 according to Check Point Software Technologies, as reported by eHNA. By the end of November it had dropped sharply to 78th of the 140 countries examined. Namibia, which was in fifth position, has replaced Tanzania as the most-attacked African nation, placing second in November after Saudi Arabia, says an article in IT-Online.

    Check Point Software Technologies revealed the most common malware families to attack organisations’ networks and mobile devices globally in November 2015. Eight African countries are among the top 20 most-attacked nations. Other African nations that appeared in the top 20 include Cameroon (3rd), Mauritius (6th), Tunisia (7th), Malawi (10th), Botswana (14th), Nigeria (17th) and Lesotho (20th). South Africa slipped four places to 63rd, from 67th in October, while Kenya is now the 49th most attacked nation from 52nd in October. 

    “We’re seeing an ongoing trend of cybercriminals exploiting weaker security controls in less developed African nations to target their more advanced counterparts,” says Doros Hadjizenonos, country manager of Check Point South Africa. “The rise in mobile malware also highlights the growing need for organisations to protect their employees’ mobile devices, which process and carry valuable corporate data. Attackers have realised that these devices are an easier target compared with corporate networks, so it’s critical that organisations deploy protection to prevent them being exploited and stop data leakage.” 

    Based on threat intelligence drawn from its ThreatCloud World Cyber Threat Map, which tracks how and where cyberattacks are taking place worldwide in real time, Check Point identified more than 1,200 different malware families during November. Two of the top three most common malware types, Conficker and Necurs, focus on disabling security services to create more vulnerabilities in the network, enabling them to be compromised further and used for launching Distributed Denial of Service (DDoS) and spam attacks. 

    The top three malware families, which accounted for nearly 40% of the total recognised attacks in November, were:

    - Conficker, 20% of all recognised attacks: infected machines are controlled by a botnet and have their security services disabled, leaving them even more vulnerable to other infections
    - Cutwail: a botnet mostly used for sending spam, as well as some DDoS attacks
    - Necurs: a backdoor that downloads further malware onto an infected machine and disables security services to avoid detection.

    Check Point’s research also discovered a 17% increase in the use of mobile malware internationally during November. Xinyin, Ztorg and AndroRAT malware families were the top three most common variants targeting mobiles globally.

    “Organisations face a daily battle to ensure that their networks are not compromised by cybercriminals and it is vital that they know what they are up against. The data for November highlights the fact that attackers are focusing their efforts on malware that can disable security services and infect machines stealthily so they can be more easily exploited,” says Hadjizenonos.

    There are no signs of cybercrime slowing down anytime soon. With both mobile and PC attacks on the rise, African countries with mHealth and eHealth initiatives must be extra vigilant and keep up with all cyber-security developments and updates.

  • Is 2016 a year of Apple attacks?

    With cyber-threats on the rise, thinking it won’t happen to you isn’t a good security strategy. Apple’s users may feel a bit more secure than other users because of its security reputation, but it may have to step its defences up to retain it. Symantec, the cyber-security company, in its report The Apple threat landscape says “A rising number of threat actors have begun developing malware designed to infect devices running Mac OS X or iOS.”

    Symantec’s Dick O’Brien has analysed and assessed the threats. His findings are:

    - The global increase in popularity of Apple’s devices in recent years, to over 13% of smartphones and more than 7% of PCs, has attracted attackers
    - More attackers are developing malware to infect devices running Mac OS X or iOS
    - The number of threats targeting Apple operating systems is still low compared to Windows desktops and Android mobiles
    - The volume of Apple threats has grown steadily in recent years
    - The number of Apple-related malware infections has spiked, particularly in the past 18 months
    - Security researchers have focused more on vulnerabilities in Apple software, finding numerous high-profile flaws in the past year
    - Zero-day brokers are offering bounties for Apple vulnerabilities, with US$1 million paid recently for a jailbreak of iOS 9.1
    - If Apple’s popularity keeps growing, it seems likely that these trends will continue.

    While rigorous security and privacy are fundamental to the design of Apple products and services, they’re not entirely immune. Apple users should not be complacent about security; they should take precautions to prevent attacks. It seems a good time for Africa’s health systems to review their cyber-security arrangements for all their Apple devices, and step them up if they look vulnerable.


  • African countries high on cybercriminals hit list

    Tanzania was the most attacked country globally in October 2015 in terms of cybercrime. The statistics are from pure-play security vendor, Check Point Software Technologies, says an article in ITWeb Africa. Six other African countries were ranked in the top 20 most-attacked countries, including Malawi ranked 4th, Namibia 5th, Mauritius 7th, Tunisia 8th, Ethiopia 9th and Nigeria 20th, ahead of Kenya ranked 52nd and South Africa 67th.

    Doros Hadjizenonos, Country Manager of Check Point South Africa, explains why these countries have been targeted. “Many African countries have well-developed mobile Internet networks that make it affordable for people to be online all the time. Hackers often target less developed countries, which may be behind the likes of South Africa and Kenya in terms of IT security, to gain backdoor access into larger countries or organisations,” he says, and illustrates with this example: “A large bank in South Africa could have a small branch in Tanzania. Hackers could exploit weaker security controls in Tanzania to gain entry into the bank’s larger network. This is why third-party links should be subject to even more stringent security controls.” While this is true for companies and big NGOs, it also applies to healthcare chains that have hospitals spread across African countries.

    Check Point’s ThreatCloud World Cyber Threat Map tracks how and where cyberattacks are taking place worldwide in real time. It identified more than 1,500 different malware families during October. The three most common malware types focus on remote control of infected PCs, enabling them to be used for launching DDoS and spam campaigns.

    Check Point says the top three malware families, which accounted for nearly 40% of the total recognised attacks in October, were:

    - Conficker, 20% of all recognised attacks: computers infected by Conficker are controlled by a botnet. It disables security services, leaving computers even more vulnerable to other infections
    - Sality, the second most common at 10% of the total: Sality gives its operator remote control of infected systems and downloads additional malware onto them. Its main goal is to persist on a system so that it can be remotely controlled and further malware installed
    - Cutwail, the third most common: a botnet mostly used for sending spam, as well as some DDoS attacks.

    Does Africa’s eHealth need to batten down the cyber-hatches and man the cyber-barricades? Whatever its response, it needs to cope with relentless cyber-crime.

  • South Africa's Cybercrimes and Cybersecurity Bill

    The South African draft Cybercrimes and Cybersecurity Bill, currently out for public comment, will bring the country in line with international laws governing online crimes. While this is a step in the right direction, some feel that the Bill is excessively far-reaching, beyond practical plausibility in many instances. An article in IT News Africa says it grants a concerning level of discretion to the State’s security cluster.

    At present, South Africa has no legislation that addresses cybercrimes. The proposed bill has many welcomed clauses such as Section 3, which addresses the unlawful acquisition of personal and financial information with the intention of committing an offence, and it is linked to the Protection of Personal Information Act of 2013. Similarly, Section 9 addresses unlawful acts in respect of malware, Section 10 addresses the unlawful acquisition or access to passwords and access codes, and Section 20 addresses copyright.

    Among the offences detailed in the bill are:

    - Personal information and financial information related offences
    - Unlawful access
    - Unlawful interception of data
    - Unlawful acts in respect of software or hardware tools
    - Unlawful interference with data
    - Unlawful interference with computer device, computer network, database, critical database, electronic communications network or National Critical Information Infrastructure
    - Unlawful acts in respect of malware
    - Unlawful acquisition, possession, provision, receipt or use of passwords, access codes or similar data or devices
    - Computer related fraud
    - Computer related forgery and uttering
    - Computer related appropriation
    - Computer related extortion
    - Computer related terrorist activity and related offences
    - Computer related espionage and unlawful access to restricted data
    - Prohibition on dissemination of data message which advocates, promotes or incites hate, discrimination or violence
    - Prohibition on incitement of violence and damage to property
    - Prohibited financial transactions
    - Infringement of copyright
    - Harbouring or concealing a person who commits an offence
    - Attempting, conspiring, aiding, abetting, inducing, inciting, instigating, instructing, commanding, or procuring to commit an offence

    While these clauses don’t specifically mention healthcare, eHealth or mHealth, they strengthen eHealth’s regulatory environment. They’ll go a long way to protecting patients’ health data, their privacy and help increase security. 

  • Health cyber-breaches are 21% of the global total

    Cyber-criminals are part of a big, illicit endeavour. An analysis by Gemalto, a global digital security firm, shows some neat but startling numbers:

    - 245,919,393 records breached in the first half of 2015
    - 888 successful attacks, so an average of about 277,000 records breached in each attack
    - The top ten attacks accounted for 82% of the records
    - For 50% of breaches the number of records compromised is unknown
    - 62% of breaches were by malicious outsiders
    - 22% were accidentally lost data
    - 53% were identity theft
    - 22% accessed financial data.

    Averaged out, that is 1,358,671 data records lost or stolen every day, 56,611 every hour, 943 every minute and 16 every second. These show that hackers still break through conventional perimeter security with relative ease. They also target most industries.

    Gemalto maintains a Breach Level Index (BLI). To create it, Gemalto collects information about data breaches globally from numerous sources, including Internet searches, news articles and analyses. It then aggregates the data in the BLI to analyse it by the number of breaches and data records lost, categorised by industry, type of breach, source of breach and country or region.

    Two healthcare organisations are in the top ten. One is at the top, with the maximum BLI score of ten. Historically, healthcare has had the most data breaches, and the first half of 2015 was the same, with 187, a shade more than 21% of the total. That is about 30% more than financial services in second place, with 143, about 16%. Only one African country, South Africa, is in the BLI, with two breaches.

    A summary of the report’s conclusions is that:

    - An approach to security of “good enough” isn’t good enough; it’s obsolete
    - Breach prevention on its own has failed
    - Accepting that breaches will happen is constructive
    - Having accepted that, securing the data is the challenge, so control users’ access and authentication, encrypt all sensitive data at rest and in motion, and securely store and manage all encryption keys.

    These steps are simple to state. Africa’s health systems need to apply them rigorously.

  • Six steps for surviving cyber-breaches

    Corporal Jones is an excitable character in Dad’s Army, an old UK television series in its umpteenth repeat. At the threat of an attack or impending disaster, his first reaction was “Don’t panic!” His second response was “Don’t panic!” too, with increasing panic and animated gestures. It’s the main title of AlienVault’s white paper, DON’T PANIC! 6 STEPS TO SURVIVING YOUR FIRST BREACH.

    Its core principle is that being breached doesn’t determine whether or not you have good security, but how you respond does. The next step is to stop believing that your network security is protecting your organisation’s information assets. It doesn’t; it lets you limit the ways your network can be attacked, and hope that you can respond adequately to the attacks that still get through. It’s like a game of chess. Africa’s eHealth can adopt this principle and AlienVault’s six steps to enhance its eHealth security.

    1. Build relationships outside of the ICT department

    A breach involves people and roles from many departments. Maintaining an established channel with them, and an understanding of how your job and theirs interact during a security breach, can save a lot of rushed paperwork and tense meetings during the crisis. ICT teams are there to lessen the impact of breaches, not to stop them, which is almost impossible.

    2. Get the “I told you so” off your chest now

    A security control that isn’t monitored is worse than no control at all. Intrusion Detection Systems need someone to administer them actively. Security breaches don’t happen in a matter of minutes. The initial signs of intrusion and persistence may show up in logs from months ago, so it makes sense to retain log data for long periods to detect trends.

    3. Comply with regulations, and then go further

    The top priority during a breach is information, and it takes time to acquire and assemble it. Keep users and management informed about decisions such as shutting down large portions of the network; it also minimises rumours.

    4. Give everybody the answers they need, not the answers they deserve

    Cyber-criminals like to find easy ways in, so don’t assume they knew how to target administrators’ accounts because of some insider information. What you are trying to unravel in days may have taken intruders months to construct, so you need to work back to the starting points. Use checklists methodically to cross-examine your investigations and ensure thoroughness.

    5. When you’ve eliminated the impossible, whatever remains, no matter how improbable, must be the truth.

    6. Practice makes perfect

    Prepare for breaches and practise the response. Benjamin Franklin had this sussed when he said “By failing to prepare, you are preparing to fail.”

    For Africa’s overstretched eHealth resources, the challenge is to find the time to prepare. When a breach occurs, the challenge becomes to explain why there was no preparation.